Privacy protection for smart metering data

ABSTRACT

Metering of a physical characteristic is described, in which a stochastic approach is taken. A random signal is generated on the basis of a metering signal, with a view to maximising a statistical distance between the two. The random signal and the metering signal are mixed together to obscure characteristics of the metering signal which could otherwise divulge private information to third parties.

FIELD

Embodiments described herein relate to privacy protection of data collected in smart metering.

BACKGROUND

Smart metering offers an opportunity to collect and store information (such as power consumption) from a utility grid at household level with increased granularity. Although current policy regulations are restrictive with regard to reuse of the collected data, the storage of this data opens up a possibility for its misuse. If the collected and stored data become available to parties other than the intended user (in this case a utility company), such as law enforcement agencies, marketing agencies and malicious individuals, this could represent a privacy and/or security risk for consumers.

The term “smart grid” is a recently coined term which represents a large number of different technologies aiming at improving existing electrical power distribution networks. Existing power distribution networks tend to be of an aging character, and one of the general goals of smart grid technology is to bring intelligence into networks to improve efficiency and robustness such that they will be more capable of responding to new higher consumption demands.

One way to adjust to new demands is to employ communication and control networks which will enable a frequent scanning of the power network state and carrying out appropriate actions to provide its stability and functionality.

Power data is being collected with increased granularity. Storage of this detailed data in the smart grid introduces concerns about consumers' privacy. These concerns may be justified by the use of non-intrusive appliance load monitors (NALM), which analyse power signals to track appliance usage patterns. Research suggests that information gathered from the power signals accompanied with other available information can be used to build profiles of house occupants. This could represent a serious privacy threat both for individuals, and for companies and government organisations.

One way of addressing privacy requirements is to develop regulatory data privacy frameworks and policies, based on standard privacy principles such as notice, choice and consent. Anonymity services can also help protect privacy. For example, metering data can be aggregated and encrypted. Alternatively, the data can be separated into low frequency attributable data (for example, data used for billing) and high frequency anonymous technical data (for example, data used for demand-side management).

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of a smart meter in accordance with a described embodiment;

FIG. 2 is a schematic diagram of a signal concealment unit of the smart meter illustrated in FIG. 1;

FIG. 3 is a graph of typical output of the smart meter illustrated in FIG. 1;

FIG. 4 is a graph of test results for a deterministic method of concealment; and

FIG. 5 is a graph of test results for a stochastic method of concealment, in accordance with an example of operation of a smart meter of a described embodiment.

DETAILED DESCRIPTION

Classical methods of privacy protection assume that there is a threat outside the system from which the system should be protected. However, another type of threat comes from within the system; for example, the utility company which collects the data could misuse the data, breaching the privacy of their customers. Methods which address this type of threat have been introduced recently. For example, an alternative protection scheme has been proposed in which energy flow within a home is controlled by running a portion of a consumption demand off a rechargeable battery, rather than directly off the grid. That method tends to keep the value of the transformed signal constant as long as battery capacity allows. Generally speaking, in accordance with information theory, the low variability of the signal corresponds to a low amount of information exposed by the signal. Thus, an intruder will obtain only a limited amount of information about the consumer if the transformed signal is observed. That approach transforms a consumer power signal in such a way as to mask appliance usage patterns; the transformed signal is then sent to the utility company. Of course, the transformed signal has to retain certain features of the original signal which are operationally important to the utility company. However, the utility company will not obtain details which, if misused, could represent a privacy threat.

To protect the privacy of the consumer, embodiments described herein provide an appropriate signal mapping which transforms collected power consumption data into a form which hides information critical for consumers' privacy. On the other hand, the transformation preserves certain features of the collected data which are important for operation of the utility company. The transformed data is further available to the utility company.

Embodiments described herein employ a stochastic method for privacy protection which is based on an information theoretic measure for a distance between two probability distributions, known as divergence. The described method is a stochastic scheme that maximizes the distance between the distribution of the collected data and the distribution of the transformed data while at the same time it preserves important features of the originally collected signal. From this point of view, embodiments of the described method can be made optimal, to give the best possible protection against an intruder.

An embodiment provides a method to transform smart metering data to protect privacy by using a stochastic mapping.

The above described method can involve mixing of a random signal with the collected smart metering data producing the transformed output signal.

The random signal may be generated according to a distribution which maximizes the distance between the collected smart metering data and the transformed data distributions.

The distance between two distributions may be measured by an information theory or measure theory distance (for example K-divergence).

A battery may be used to moderate the transformed signal.

One aim which may be achieved by certain embodiments described herein is to enable a smooth transition to the smart grid without compromising privacy.

To measure the performance of privacy algorithms, embodiments described herein apply an information theoretic measure known as K-divergence. Previously proposed algorithms do not optimize the performance with respect to the performance measures, so in this disclosure methods are proposed which maximize the distance between the collected power data and the transformed data (available to the utility company) with respect to K-divergence. The assumption is that the larger the distance between collected power data and transformed data, the better the data protection. Improvements in performance become achievable by the introduction of randomness into the method.

FIG. 1 provides a schematic illustration of a smart meter 10 implementing the embodiment described herein.

The smart meter 10 is illustrated in situ installed on a single phase AC power supply, with a live rail and a neutral rail. An earth rail would no doubt also be present, but is omitted for clarity.

The meter 10 comprises a current sensor 12 on the live rail, and a voltage sensor 14 between the live rail and the neutral rail. Outputs from the sensors 12, 14 feed into an analogue to digital converter (ADC) 16 which passes quantised voltage and current data to a processing unit 20. The processing unit 20 in use produces a consumer power signal p(t) which could, in a simple case, be passed directly back to a consumer power supply utility. In the present embodiment, however, the power signal p(t) is passed to a signal concealment unit 30.

In general terms, the purpose of the signal concealment unit 30 is to apply a mapping

to p(t) to obtain a transformed signal p_(M)=

(p). p_(M)(t) is made available to the utility company, and the probability distribution of p_(M)(t) is at a distance as large as possible from the probability distribution of p(t). This conceals, from the utility company, and from any third parties, the exact nature of power consumption behaviour of the metered party.

The signal concealment unit 30, of a first example of the embodiment, is illustrated in FIG. 2. The signal concealment unit 30 comprises a random signal generator 32 and a signal subtractor 34. The random signal generator 32 is operable to generate a random signal p_(MR)(t) whose probability distribution is chosen in a manner which will be described in due course.

The signal p_(MR)(t) is mixed with the signal p(t) obtained from the smart meter 20 and then further processed by a battery algorithm unit 36 to generate the transformed signal p_(M)(t). The battery algorithm unit 36 relies on a battery 38 to assist in moderating the consumer power signal p(t). The computation of the p_(MR)(t) probability distribution and the operation of the battery algorithm are explained below.

Computation of Optimal p_(MR)(t) Distribution

The distribution of p_(MR)(t) is obtained by solving a constrained optimization problem which is described next. The solution is based on the Markov chain representation of p(t) and p_(MR)(t).

First, an objective function and constraints are defined. The objective function can be expressed in terms of information divergence function, for example, the K-divergence. For two probability distributions P₁(x) and P₂(x), the K-divergence is defined by

${K\left( {P_{1}{}P_{2}} \right)} = {\sum\limits_{x}{{P_{1}(x)}\ln \; \frac{2P_{1}(x)}{{P_{1}(x)} + {P_{2}(x)}}}}$

A conditional K-divergence is also defined following a definition of the conditional Kullback-Leibler divergence [T. M. Cover and J. A. Thomas, “Elements of information theory” John Wiley & Sons, Inc. New York, N.Y., USA, 2006]. For two conditional probability distributions P₁(y|x) and P₂(y|x), the conditional K-divergence is defined by

${K_{yx}\left( {P_{1}{}P_{2}} \right)} = {\sum\limits_{x}{{P_{1}(x)}{\sum\limits_{y}{{P_{1}\left( {yx} \right)}\ln \; \frac{2{P_{1}\left( {yx} \right)}}{{P_{1}\left( {yx} \right)} + {P_{2}\left( {yx} \right)}}}}}}$

The conditional K-divergence is required since Markov chains are used to model the signals p(t) and p_(MR)(t).

One way to represent a continuous amplitude signal (such as p(t) and p_(MR)(t)) by a Markov chain is to quantize or cluster it into M clusters. Then, a Markov chain representation of the signal is characterized by its transition probability matrix T:=[t_(ij)], 1≦i,j≦M, where t_(ij)=Pr{i|j} is the conditional probability of moving from state j to state i. When the signal is clustered into M clusters, t_(ij) represents the probability of moving from cluster j to cluster i.

The transition probability matrices of the Markov chain representations of p(t) and p_(MR)(t) are denoted T and T_(MR), respectively. Then, the conditional K-divergence between the signals p_(MR)(t) and p(t) is the objective function of the optimization problem and is written as

${K_{ij}\left( {T_{MR}{}T} \right)} = {\sum\limits_{j}{{P_{pMR}(j)}{\sum\limits_{i}{t_{{MR},{ij}}\ln \; \frac{2t_{{MR},{ij}}}{t_{ij} + t_{{MR},{ij}}}}}}}$

Here, P_(pMR) represents the steady-state distribution of p_(MR)(t) [Cover and Thomas]. The constraints on the optimization problem come from the requirements that the modified signal p_(M)(t) retain certain characteristics of the consumer power signal p(t), for example in terms of a mean value E[p_(MR)(t)]=E[p(t)] and variance Var[p_(MR)(t)]=Var[p(t)]. Hence, the optimization problem can be defined as

$\max_{T_{MR}} K_{i|j}(T_{MR} \| T)$

subject to

E[p_(MR)(t)]=E[p(t)]

Var[p_(MR)(t)]=cVar[p(t)]

where c is a positive constant. This optimization problem can be solved numerically giving the matrix T_(MR) ^(a) which maximizes the K-divergence. The signal p_(MR)(t) is now created by the random number (Markov) generator and mixed with p(t).

From the above consideration, it can be seen that the underlying principle embodied in the method is the construction of a distribution for the signal p_(MR)(t) which will produce a modified signal p_(M)(t) whose distribution is far away from the distribution of p(t) as measured by the K-divergence.
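The measurement side of this section, as an added example that is not code from the patent: it clusters two signals into M states, estimates the column-stochastic matrices T and T_(MR), and evaluates the conditional K-divergence defined above. The equal-width clustering, the eps smoothing, the power-iteration steady state and the constructed sample signals are assumptions of this sketch, and the random signal here is memoryless rather than the optimized T_(MR).

```python
import math
import random

def quantize(signal, M, lo, hi):
    """Cluster a continuous-amplitude signal into M equal-width states 0..M-1."""
    width = (hi - lo) / M
    return [min(M - 1, max(0, int((x - lo) / width))) for x in signal]

def transition_matrix(states, M, eps=1e-9):
    """Estimate T = [t_ij] with t_ij = Pr{i | j} (move from state j to state i).

    Columns sum to 1. eps is an assumed smoothing term so that states never
    visited in the sample still yield a valid column.
    """
    counts = [[eps] * M for _ in range(M)]
    for j, i in zip(states, states[1:]):
        counts[i][j] += 1.0
    col = [sum(counts[i][j] for i in range(M)) for j in range(M)]
    return [[counts[i][j] / col[j] for j in range(M)] for i in range(M)]

def steady_state(T, iters=2000):
    """Steady-state distribution of a column-stochastic T by power iteration."""
    M = len(T)
    pi = [1.0 / M] * M
    for _ in range(iters):
        pi = [sum(T[i][j] * pi[j] for j in range(M)) for i in range(M)]
    return pi

def conditional_k_divergence(T_mr, T):
    """K_{i|j}(T_MR || T), weighted by the steady state of the T_MR chain."""
    pi = steady_state(T_mr)
    M = len(T)
    total = 0.0
    for j in range(M):
        for i in range(M):
            a, b = T_mr[i][j], T[i][j]
            if a > 0.0:  # 0 * ln(0) is taken as 0
                total += pi[j] * a * math.log(2.0 * a / (a + b))
    return total

def demo(M=4, n=5000, seed=1):
    """Constructed data: a blocky appliance-like load versus a memoryless random signal."""
    rng = random.Random(seed)
    p, level = [], 0.2
    for _ in range(n):
        if rng.random() < 0.02:          # appliance switches on or off occasionally
            level = 2.0 if level < 1.0 else 0.2
        p.append(level + rng.uniform(0.0, 0.1))
    p_mr = [rng.uniform(0.0, 2.4) for _ in range(n)]
    T = transition_matrix(quantize(p, M, 0.0, 2.4), M)
    T_mr = transition_matrix(quantize(p_mr, M, 0.0, 2.4), M)
    return conditional_k_divergence(T_mr, T)

if __name__ == "__main__":
    print("K-divergence (upper bound ln 2 = %.4f): %.4f" % (math.log(2), demo()))
```

The value is 0 when the two chains are identical and reaches ln 2 when their transitions never overlap.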

Battery Algorithm

The described battery 38 is a source of a battery signal p_(B)(t). The battery 34 has the following characteristics:

1. The battery has a finite energy capacity E_(C) (hence, it has to maintain its energy by recharging), i.e. 0≦∫₀^(t₁) p_(B)(t)dt≦E_(C) for all t₁∈[0,T] (assuming that for t₁=0, the battery is fully charged).
2. The battery has a maximum discharge and recharge power of P_(D) and P_(R), i.e. −P_(R)≦p_(B)(t)≦P_(D) for all t.

As can be seen from FIG. 2, the input to the battery algorithm unit 36 is the difference between p(t) and p_(MR)(t). The difference p(t)−p_(MR)(t), denoted by p′_(B)(t), is dealt with by the battery algorithm. The battery 38 recharges or discharges depending on its current state and on the size and sign of p′_(B)(t). If p(t)−p_(MR)(t)=p′_(B)(t)>0 the battery discharges by p′_(B)(t); otherwise, it recharges by |p′_(B)(t)|. Here, it is assumed that:

1. |p′_(B)(t)|≦P_(D)=P_(R)
2. the battery capacity ∫₀^(t₁) p_(B)(t)dt is in such a state that it can be discharged/recharged by |p′_(B)(t)|.

Then, the output of the battery algorithm unit 36 is given by p_(M)(t)=p_(MR)(t). If the conditions 1) and 2) are not satisfied, the battery algorithm unit 36 has to modify the signal p_(MR)(t) so it complies with the conditions 1) and 2).
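One way the battery step could be realised, as an added example that is not code from the patent: the text does not say how p_(MR)(t) is modified when conditions 1) and 2) fail, so this sketch assumes the battery power is clipped to the nearest feasible value and the grid supplies the remainder. Function names and the sample values are constructed; the battery size and sampling interval follow the page's example.

```python
def battery_algorithm(p, p_mr, P_D, P_R, E_C, dt_h):
    """Return (p_m, trace): grid-visible signal and energy drawn from the battery.

    p, p_mr : load and random target samples in kW
    P_D, P_R: maximum discharge / recharge power in kW
    E_C     : energy capacity in kWh; the battery starts fully charged
    dt_h    : sampling interval in hours
    """
    drawn = 0.0                      # energy discharged so far: 0 = full, E_C = empty
    p_m, trace = [], []
    for load, target in zip(p, p_mr):
        want = load - target         # p'_B(t): > 0 discharge, < 0 recharge
        p_b = max(-P_R, min(P_D, want))            # condition 1: power limits
        p_b = min(p_b, (E_C - drawn) / dt_h)       # condition 2: cannot over-discharge
        p_b = max(p_b, -drawn / dt_h)              # condition 2: cannot over-charge
        drawn += p_b * dt_h
        p_m.append(load - p_b)       # equals target whenever p_b == want
        trace.append(drawn)
    return p_m, trace

def concealed_fraction(p_m, p_mr, tol=1e-9):
    """Share of samples where the meter output equals the random signal."""
    hits = sum(1 for a, b in zip(p_m, p_mr) if abs(a - b) <= tol)
    return hits / len(p_m)

# Constructed sample; battery size and 30 s interval as in the page's example.
P_D = P_R = 1.0          # kW
E_C = 2.0                # kWh
DT_H = 30.0 / 3600.0     # hours
LOAD = [0.5, 2.5, 0.2, 0.2]
TARGET = [0.5, 0.5, 0.8, 1.9]

if __name__ == "__main__":
    out, energy = battery_algorithm(LOAD, TARGET, P_D, P_R, E_C, DT_H)
    print([round(x, 3) for x in out], concealed_fraction(out, TARGET))
```

In the second and fourth samples the power and capacity limits bind, so the output departs from the random target; the concealed fraction shows how often a given battery size lets p_(MR)(t) through unchanged.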

The described approach introduces a random source p_(MR)(t) with the optimal distribution as the input to the battery algorithm. This situation is illustrated in FIG. 3. It can be seen that the output p_(M)(t) is a random signal which has the same mean value as the input signal p(t).

It will be observed through an example (set out below) that the K-divergence between p_(M)(t) and p(t) is larger for the described stochastic method than for previously proposed deterministic approaches.

Other Embodiments

The described approach can also be used in cases where different constraint functions (requirements) are imposed by the system. In such a case, the optimization problem is modified and the obtained p_(MR)(t) may also be modified, which will ultimately result in a different p_(M)(t), and in a different level of measured privacy protection.

More specifically, the following example considers a case wherein a system (for example a utility or a user) applies further constraints. There could be different reasons underpinning this requirement. For example, the utility may wish the consumer to exhibit more stable power consumption. That is, in this case, the utility may wish p_(M)(t) to be closer to p_(M)(t−1). According to this alternative embodiment, an attempt is made to maximise the K-divergence between p_(MR)(t) and p(t) with the given constraints. In one possible alternative implementation, it is desired to bound p_(MR)(t) so that p_(MR)(t) is close to p_(M)(t).

In all cases, it will be noted that the success of obtaining a power consumption p_(M)(t) that is equal to p_(MR)(t), or p_(M)(t−1), depends on the physical battery energy/power limitations.

In general, other alternative optimization problems may be considered, where the signals p_(MR)(t) and/or p′_(B)(t) are further modified.

In the following the performances of previously disclosed deterministic methods are compared with a particular example of the above described embodiment (which uses a stochastic approach). In this example, the size of the battery is P_(D)=P_(R)=1 kW/E_(C)=2 kWh. For the input signal p(t), real data are used, obtained by measuring the overall power consumption (mains) in an apartment for 30 days. The sampling interval is chosen to be T_(S)=30 s.

FIG. 4 and FIG. 5 show typical input and output signals for deterministic and stochastic privacy methods, respectively. The two figures underline an evident difference between the two approaches; the deterministic approach tends to smooth the input data, while the stochastic method gives very noisy output p_(M)(t). If the measure of the performance is the K-divergence, its value for the deterministic algorithm is 0.25 while for the stochastic approach it is 0.44. The maximum value for the K-divergence is 0.69≅ln 2. The efficiency of the stochastic method is 0.44/0.69=0.64, while for the deterministic method it is 0.25/0.69=0.36. So, this particular example provides a performance improvement over the deterministic approach used as a comparison.

Similar ratios are obtained when the size of the battery is varied. For example, when P_(D)=P_(R)=1.2 kW/E_(C)=2.4 kWh, the K-divergence for the stochastic method is 0.4691, while for the deterministic case 0.2759.

While the above description suggests the implementation of a smart meter in accordance with a described embodiment by way of hardware, the reader will appreciate that processing of a signal can be implemented in software on a suitable software configurable signal processing apparatus. The software may be embodied in the form of a computer program, delivered as a computer program product. The computer program product may be in the form of a carrier medium, such as a storage medium, for example an optically readable disk or a solid state electronic storage device. On the other hand, the carrier medium may be in the form of a signal, bearing digital information defining the computer program product, which may be receivable by the configurable signal processing apparatus. In one arrangement, the smart meter may be operable to receive communications on a recognised communications protocol. Appropriately, the smart meter may be operable to receive powerline communications on a powerline communications protocol, and it may be by this means that a smart meter, of general construction, may receive a computer program product to enable it to be configured in accordance with a described embodiment.

As will be understood, the computer program product may encompass all of the computer executable instructions required for a smart meter to perform in accordance with a described embodiment. Alternatively, a computer program product could be provided which refers to or uses pre-existing (and assumed to be pre-existing) software and hardware facilities of the smart meter, such as applications, call-outs and routines. The computer program product could then be described as an “app” or a “patch” depending on whether the computer program product provides entirely new facilities to the smart meter or if it enhances existing facilities. The computer program product may be self executing and delivered without a user's knowledge, or could be retrieved from a remote server by user request, either by controls offered on a control panel of the smart meter itself or by a smart meter user interface provided by, for example, wireless connection to a laptop or the like.

While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions, and changes in the form of the methods and systems described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.

1. A metering device for metering a physical characteristic and for delivering information to a third party on the basis of collected metering information, the metering device comprising signal collecting means operable to collect a metering signal comprising information relating to the metered physical characteristic, random signal generating means operable to generate a random signal, signal processing means operable to process the metering signal and the random signal to produce a modified metering signal, and signal emission means operable to emit said modified metering signal to said third party.
2. A metering device in accordance with claim 1 wherein the random signal generating means is operable to determine a random signal on the basis of the received metering signal.
3. A metering device in accordance with claim 2 wherein the random signal generating means is operable to determine a distribution, in time, of the metering signal, and to determine a probability distribution for the random signal on the basis of the distribution of the metering signal.
4. A metering device in accordance with claim 3 wherein the random signal generating means is operable to determine the probability distribution of the random signal by maximising a statistical distance between the probability distribution of the random signal and the distribution of the metering signal.
5. A metering device in accordance with claim 4 wherein the statistical distance is the K-divergence.
6. A metering device in accordance with claim 1 and comprising mixing means for mixing the random signal with the metering signal to produce a mixed signal.
7. A metering device in accordance with claim 6 and further comprising a rechargeable battery and battery discharge means, the battery discharge means being operable to apply a battery discharge to the mixed signal dependent on the difference between the mixed signal and the voltage state of the battery, to produce the modified metering signal.
8. A method of metering a physical characteristic and delivering information to a third party on the basis of collected metering information, the metering comprising collecting a metering signal comprising information relating to the metered physical characteristic, generating a random signal, processing the metering signal and the random signal to produce a modified metering signal, and emitting said modified metering signal to said third party.
9. A method in accordance with claim 8 wherein the generating of the random signal comprises determining a random signal on the basis of the received metering signal.
10. A method in accordance with claim 9 wherein the generating of the random signal comprises determining a distribution, in time, of the metering signal, and determining a probability distribution for the random signal on the basis of the distribution of the metering signal.
11. A method in accordance with claim 10 wherein the determining of the probability distribution of the random signal comprises maximising a statistical distance between the probability distribution of the random signal and the distribution of the metering signal.
12. A method in accordance with claim 11 wherein the statistical distance is the K-divergence.
13. A method in accordance with claim 8 and comprising mixing the random signal with the metering signal to produce a mixed signal.
14. A method in accordance with claim 13 and further comprising applying a battery discharge to the mixed signal dependent on the difference between the mixed signal and the voltage state of the battery, to produce the modified metering signal.